Thread Context
This API allows the bot to get additional information about the user and where the webview was invoked.
It's useful in creating interactive group experiences and games as well to restrict any content that was intended to be shared only to a certain thread.
Using getContext()
Availability
This API is available only in Messenger on v113 on Android and v114 on iOS.
To check for its availability on a given client, call getSupportedFeatures() and check for the "context" key in the response.
Call this function to get the user ID, thread ID, and thread type.
MessengerExtensions.getContext('YOUR_APP_ID',
function success(result){
...
},
function error(result){
...
}
);Parameters
| Parameter | Description | Type | Required |
|---|---|---|---|
app ID | Your bot's app ID | String | Yes |
success callback | This function will be called and pass an object containing | Function | Yes |
error callback | This function will be called if Messenger was unable to provide the context info. | Function | Yes |
The response passed to the success callback will be a JavaScript object in the following format:
Response Format
{
"thread_type": "GROUP",
"tid": "1411911565550430",
"psid": "1293479104029354",
"signed_request": "YOUR_SIGNED_REQUEST"
}
Fields
| Field | Description | Type |
|---|---|---|
| The thread ID that the webview was invoked in. | String |
| One of the following values:
| String |
| A page-scoped user ID for the user viewing the page. | String |
| A signed request containing the above information. | String |
Validating the signed_request
There are situations where you may wish to transmit the information obtained from getContext() to your backend and validate it before performing some action like a login or purchase. This allows you to ensure that the information really did come from Messenger and was not spoofed.
The signed_request is base64url encoded and signed with an HMAC version of your App Secret, based on the OAuth 2.0 spec.
You can validate it with the following 4 steps:
- Split the signed request into two parts delimited by a
'.'character (e.g.238fsdfsd.oijdoifjsidf899) - Decode the first part — the encoded signature — from base64url encoding.
- Decode the second part — the payload — from base64url encoding. This can be used on the server side if needed.
- Hash the original payload using HMAC SHA-256 and your app secret and confirm that it is equal to the encoded signature originally passed.
- You may also wish to validate the
issued_attimestamp in the payload to ensure the recency of the request.
This can be done in any modern programming language. Below is an example in PHP:
function parse_signed_request($signed_request) {
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$secret = "appsecret"; // Use your app secret here
// Decode the data
$sig = base64_url_decode($encoded_sig);
$data = json_decode(base64_url_decode($payload), true);
// Confirm the signature
$expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
if ($sig !== $expected_sig) {
error_log('Bad Signed JSON signature!');
return null;
}
return $data;
}
function base64_url_decode($input) {
return base64_decode(strtr($input, '-_', '+/'));
}Decoding the payload will yield an object with the same information as originally returned by getContext(), but with the addition of algorithm, issued_at, and page_id fields:
{
"psid": "1293479104029354",
"algorithm": "HMAC-SHA256",
"thread_type": "GROUP",
"tid": "1411911565550430",
"issued_at": 1491351619,
"page_id": 167938560376726
}Remember, to avoid accidentally divulging your app secret, this validation should happen on your server and never in client-side code.